As earnings season approaches, organizations face a constant balancing act between growth and efficiency. It is a pendulum that swings with macroeconomic changes, business results, challenges and successes. Companies continually ask themselves whether they should accelerate marketing spend, look for ways to cut costs, and assess whether their current budget is effectively targeted to generate an adequate return on investment (ROI). Typically, in boardrooms and leadership teams, general and administrative (G&A) systems are viewed as overhead – a cost item necessary to mitigate risk and meet compliance standards, rather than one that generates a return.
Companies often have a relatively large IT and security budget, but only a handful of people in the organization typically know how that budget is actually being used. Unfortunately, even fewer people can truly identify the ROI of each part of the stack that makes up this budget. For companies trying to set an appropriate cybersecurity budget, thinking about ROI shouldn’t be an afterthought, but rather a starting point. Spending $100,000 per year may seem like a lot, but it’s a good investment if it prevents $1 million in annual losses from cyberattacks.
Why cybersecurity is immune to the recession
Businesses of all sizes are susceptible to cyberattacks, no matter how many layers of defense they have in place. According to research from Harvard Business Review, organizations with 10,000 or more employees typically maintain nearly 100 security tools, but despite this, even well-established global companies continue to fall victim to cyberattacks. The sad truth is that it’s simply not possible to stop 100% of attacks. As a result, most organizations are beginning to shift their mindset away from prevention and toward focusing on limiting the potential damage an attack can cause and better understanding where their real vulnerabilities lie.
CIOs, CISOs, and the rest of the C-suite are ultimately responsible for protecting their company’s assets. Organizations spend millions of dollars on cybersecurity each year as the overall security market heads toward $300 billion in total addressable market (TAM). With this in mind, CISOs are looking for greater budget flexibility to ensure they are meeting their company’s goals. Yet as cyberattacks grow in both number and sophistication, many CISOs still struggle to answer basic questions about whether their company is secure and how well protected their assets really are.
To accurately answer these questions, CISOs must be able to continually measure and demonstrate cyber effectiveness to leadership. They must illustrate risks, validate controls, understand exposures assigned to security frameworks, and rationalize security spending while managing costs. The good news for security teams? Cybersecurity will always be critical for businesses. Even in lean times, companies will always need to invest in cybersecurity solutions to keep their data and other assets safe. As long as security teams can use data to justify which solutions are essential to their operations, cybersecurity will be effectively recession-proof.
Establish a cybersecurity budget plan
Under the Securities and Exchange Commission’s (SEC) recently adopted reporting requirements for cyber incidents, registrants must disclose in new Item 1.05 of Form 8-K any cybersecurity incident that the SEC determines is material. Companies must also describe the material aspects of the nature, scope, and timing of the incident, along with its impact on the registrant. Form 10-K and Form 20-F disclosures are required beginning with annual reports for fiscal years ending on or after December 15, 2023. Form 8-K and Form 6-K disclosures are required beginning 90 days after the date of publication in the Federal Register or December 18, 2023, whichever is later.
This information doesn’t just appear magically, and gathering it requires having the right resources to not only detect potential security incidents, but also to effectively document both the course charted by the attacker and the mitigation efforts undertaken by the organization. That means it’s critical for organizations to have full visibility into their digital environments, with continuous monitoring capabilities that can detect and document changes as they occur. These visibility and continuous monitoring capabilities not only enable companies to comply with new compliance guidelines, but they also help establish a solid foundation on which to build a successful cybersecurity program. By effectively mapping their digital environments and testing them for known vulnerabilities, organizations can have a more accurate view of their unique risk profile and better understand the steps they need to take to improve their security posture.
In practice, this means that leaders must first take inventory of their data assets and their value to the business. Next, they must consider what they need to do to comply with industry regulations that may apply to their business, such as healthcare’s HIPAA or the European Union’s General Data Protection Regulation (GDPR). Do they need new solutions to enable additional visibility? Stronger endpoint protections? Expanded identity management capabilities? Once they have a firm understanding of what their goals are and the steps needed to achieve them, leaders should look at what their company’s overall IT budget is. If what the company needs comes to about 20-25% or less of the overall IT budget, that is probably a useful figure to start with. With that starting point in place, it is time to dig deeper into assessing and verifying what is working and what is delivering no return on investment. Just because a company is spending money doesn’t mean the money is being spent in the right places.
Aligning security with business
This responsibility will largely fall on the shoulders of the CISO or CTO, and they will need to be able to make and defend their case effectively to the CFO, COO, CEO, and other stakeholders. Since most business leaders tend to think in terms of how their decisions affect the company’s bottom line, it is important to be able to articulate clearly the return that cybersecurity investments can deliver. Whether those returns come in the form of eliminating redundant solutions, streamlining security processes, or preventing costly breaches, framing things in a business context is the most effective way to ensure that security leaders and business decision-makers can align on their initiatives.
This article was produced as part of TechRadarPro's Expert Insights channel, where we showcase the best and brightest minds in the tech industry today. The views expressed here are those of the author, and not necessarily those of TechRadarPro or Future plc.